A blog for Small Business Consultants and the vendors who serve them. It contains Opinions on business success, News in the SMB consulting space, and Information on what I'm up to. All material Copyright (c) 2006-2017 by Karl W. Palachuk unless otherwise noted.

Friday, July 26, 2013

SOP Friday: HIPAA Part One - Training

Background

HIPAA - the Health Insurance Portability and Accountability Act - has been largely ignored by small businesses since it was passed in the mid 1990's. The Privacy Rule of HIPAA was published in 2000 and modified several times since then. Major revisions were implemented this year and final enforcement is effective September 23, 2013.

Under this rule, doctors, insurance companies, and other healthcare providers are "Covered Entities."

You come into the picture because you are a "Business Associate" under the Privacy Rule. A Business Associate is someone who performs services for a Covered Entity and may have access to individually identifiable patient health information. A Business Associate may also be someone who works for or with another Business Associate and has access to individually identifiable patient health information.

For example:
- Doctor Doolittle is a Covered Entity
- You - his managed service provider - are a Business Associate of Dr. D
- The company you work with to provide offsite backup services is a Business Associate of you

You are most directly affected by the HITECH Act (Health Information Technology for Economic and Clinical Health Act) associated with HIPAA. HITECH governs the security and disclosure rules around the technical side of patient records. This includes where data can be stored, how it can be stored, and the consequences of a data breach.

You must have a Business Associate Agreement in place for each Covered Entity you do business with by September 23rd. You must have a Business Associate Agreement in place for each Business Associate you do business with by September 23rd.

Key action point for you: You must have your Business Associate Agreements in place by Sept. 23rd!

The Three Faces of HIPAA

When we look at implementing HIPAA policies with our clients, we see three key elements: Training, Compliance, and Documentation. We'll cover a bit on training in this article. Next week we'll talk about compliance, which involves both assessment and remediation. The week after that we'll talk about documentation. You are not HIPAA compliant until you have documented everything that makes you HIPAA compliant.

HIPAA Training

You need some HIPAA training. Whether you take a class, buy a book, or read the government web site, you need to come up to speed on this stuff - or stop servicing Covered Entities. We have a minor vertical in healthcare, so we are working on everyone's compliance rather than giving up the clients.

Training is really a two-step process. First you need to get trained. Second, you should offer a bit of training for your clients. You might do the training yourself or resell a program such as 4Med.

Doctors - especially small doctors' offices - have worked very hard to ignore HIPAA as much as they can. One of the major changes this year is that penalties are being handed down to smaller and smaller Covered Entities. So there are more and more stories in the news about small doctors' offices being fined large amounts of money. That will help you sell this.

In addition to that, enforcement has expanded so that state attorneys general can now enforce HIPAA compliance. That means pretty much any public agency can now be petitioned to enforce HIPAA. As a result, you'll see more and more small cases being brought up.

If you want to start gathering some examples for your newsletter or marketing materials, here are a couple of resources. First, I have started a Pinterest board about HIPAA here: http://pinterest.com/karlpalachuk/hipaa-news/. Second, you can set up a Google Alert (http://www.google.com/alerts) for HIPAA violations or HIPAA news and get regular emails about new information.

HIPAA training for you is not expensive - especially when you consider that it opens up a new world of opportunities to make money. Once you know the rules around HIPAA breaches and enforcement, you can sell training, assessments, remediation, and documentation. After that you can sell a managed service for HIPAA compliance maintenance. And you can market yourself against I.T. providers who are not HIPAA compliant and not able to deliver compliance services.

The Good News / Bad News

The good news for you is that there's lots of opportunity here. It's the law. It's been coming for almost 20 years. It's being enforced. Doctors, insurance companies, and other Covered Entities need you to come up to speed on HIPAA so they can be legal.

The bad news is that some doctors will simply refuse to comply. And you should fire them.

I talked to a doc last month who said that he was not worried. As far as he knows, he's fine. This is while carrying a laptop from exam room to exam room filled with patient records. I asked him where his HIPAA documentation was. Of course he had none. I informed him that even if he were compliant, he's still in violation of the law if he doesn't have it documented. He shrugged it off. "They won't come after me."

We can't have people like that as clients. We only need a tiny $50,000 fine to feel the pinch. A $500,000 fine would put us out of business.

SOP Friday - or Standard Operating System Friday - is a series dedicated to helping small computer consulting firms develop the right processes and procedures to create a successful and profitable consulting business.

Find out more about the series, and view the complete "table of contents" for SOP Friday at SmallBizThoughts.com.

- - - - -

Next week's topic: HIPAA Part Two - Compliance

:-)


8 comments:

Great blog Karl. What it all comes down to is money. The government wants more of it. Local, state, Federal. They will use these fines as revenue sources for government agencies and third party auditing non profit agencies. The fines won't be huge, let's say they are $5K per incident, multiplied by 10K medical offices, MSP, other BA companies that dropped the ball on 1 part of a compliance rule. That's $50 MILLION dollars in fines. But what if it's $10K and 50,000 fines? Well that's half a billion dollars. And that pays for a lot of government employee salaries and pensions. Welcome to the new HIPAA tax. They're from the government and they're here to help.

I took the 4Med training and I am going to send my entire staff through it. I also looked at their HIPAA Documentation Bundle and their Risk Assessment. As an MSP, are those good products to bring myself compliant or is there a better (less costly) method? I might also note that I am set up to resell their services, so "eating my own dog food" might be a good idea. (By the way, I mentioned you referred me, for what it's worth.) Thoughts?

Thanks, Jason. I don't know if they have a referral program. I'll wait to see if a check shows up. :-)

I am not sure about their bundle. I think it's geared for much larger clients than we have. Our largest HIPAA "eligible" client has about 30 employees. They were 70 five years ago, but they're government funded and ... well that's how things go.

Anyway, the 30-user shop will be much more complicated than the office with 5 doctors and 5 administrative staff. We're looking at various online and book resources.

4Med also hosts a very streamlined reseller program for HIPAA reports, products and services in addition to their training reseller programs. The program is growing rapidly, has vetted experts on tap to deliver the highest quality content and is lucrative for the MSP Partner. To learn more about our program... please reach out to Genave Daniel at g.daniel@4Medapproved.com or call (800) 671-1028 ext #35. Also join the 4medpronetwork.com for additional HIT programs and opportunities. And thank you Karl for the 4Med training plug.


FTC Disclosure Statement

I make every attempt to honestly state what I believe and enjoy the freedom of posting whatever I feel like on this blog. This is a big complicated world and I have many interconnected personal and professional relationships.

I may in some way receive money or other benefits from any of the products, services, or companies mentioned in this blog as a direct or indirect result of my actions on and off this blog. Any experience mentioned here is just my experience and I have no knowledge about whether it represents a typical experience with any products, services, or companies mentioned.

Whenever it is possible to have both an honest and a misleading interpretation of my statements, please assume honesty. Thanks. - karlp